Forefront Identity Manager 2010: In Production
Joe Schulman, Program Manager, Microsoft Corporation
Adrienne Wu, Program Manager, Microsoft Corporation
SESSION CODE: SIA319


Prerequisites
General knowledge of Forefront Identity Manager (FIM)
SIA318 “Deploying FIM”

Business Ready Security
Help securely enable business by managing risk and empowering people, across on-premises & cloud.

From: Block, Cost, Siloed
To: Enable, Value, Seamless

Protect everywhere, access anywhere
Integrate and extend security across the enterprise
Simplify the security experience, manage compliance
Highly Secure & Interoperable Platform
Identity

Woodgrove Bank (fictitious organization)
15,000+ employees
19 IT specialists
3 continents
FIM scenarios: self-service password reset, group management, provisioning

I deployed FIM… now what?

Today’s Goals
How do I manage FIM in production?
Change management
Disaster recovery
Monitor availability
Respond to helpdesk tickets
How do I measure and demonstrate the value of FIM?

Woodgrove’s FIM Deployment
SQL Server stores FIM’s state
Dedicated “Admin” Portal and Service

Demo – Fully configured FIM in production

Change Management

The basics of Change Management in FIM
Separate the pilot environment from production
Make all changes in pilot and test in pilot
Migrate changes to production using PowerShell scripts

Philosophy of FIM Change Management
FIM’s value is automating changes in connected systems.
Automation or “policy” is customer-specific.
Most connected systems do not have an “Undo” or a “Recycle Bin”.
Getting policy wrong means unintended consequences: we don’t want you to accidentally automate de-provisioning all employees!
We recommend a separate lab environment with a representative topology. Use the config migration process to push changes into production.

(Diagram: changes are authored and tested in Pilot, then migrated to Production; Production is never edited directly.)

Demo – Using PowerShell to commit changes

Considerations
Do not:
Delete out of box objects
Rename out of box objects
Make changes in production
Modify the intermediate XML
Do:
Follow the published guide
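The commit step of the migration is where the “Do not” list above has to be enforced, because a Delete or a rename that reaches production is applied by the FIM Service and then flows out to connected systems with no undo. The script below is an added example for this deck, not one of the published configuration migration scripts: it reuses the FIMAutomation cmdlets the guide is built on (ConvertTo-FIMResource, Join-FIMConfig, Compare-FIMConfig, Import-FIMConfig) and inserts a review gate in front of the import. The file paths, the trimmed join-rule list and the FIM Service URI are this example’s assumptions.

```powershell
# Added example: gate the "commit changes" step of a FIM configuration migration so
# that deletes and renames of existing objects never reach production unreviewed.
# Assumes the FIMAutomation snap-in and pilot/production policy exports already
# produced by the published export scripts. Paths and the join rules are assumptions.
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}

$pilotFile      = "C:\fim-migration\pilot_policy.xml"       # assumed path
$productionFile = "C:\fim-migration\production_policy.xml"  # assumed path
$changesFile    = "C:\fim-migration\changes.xml"            # the intermediate XML: written, never hand-edited
$undoneFile     = "C:\fim-migration\undone.xml"
$serviceUri     = "http://localhost:5725/ResourceManagementService"  # assumed

# Object types that are not uniquely identified by DisplayName need an explicit join
# attribute; everything else joins on DisplayName (same idea as the published JoinPolicy.ps1).
$joinRules = @{
    "ActivityInformationConfiguration" = "ActivityName";
    "ObjectVisualizationConfiguration" = "DisplayName";
    "ManagementPolicyRule"             = "DisplayName";
    "Set"                              = "DisplayName";
    "WorkflowDefinition"               = "DisplayName";
    "EmailTemplate"                    = "DisplayName";
}

$pilot      = ConvertTo-FIMResource -File $pilotFile
$production = ConvertTo-FIMResource -File $productionFile
$matches    = Join-FIMConfig -Source $pilot -Target $production -Join $joinRules -DefaultJoin DisplayName
$changes    = @($matches | Compare-FIMConfig)

# Review gate: refuse any Delete, and any Put that touches DisplayName (a rename).
$creates = @($changes | Where-Object { $_.State -eq "Create" })
$updates = @($changes | Where-Object { $_.State -eq "Put" })
$deletes = @($changes | Where-Object { $_.State -eq "Delete" })
$renames = @($updates | Where-Object {
    @($_.Changes | Where-Object { $_.AttributeName -eq "DisplayName" }).Count -gt 0
})
Write-Host ("Change set: {0} create, {1} update, {2} delete" -f $creates.Count, $updates.Count, $deletes.Count)

# New policy objects are legitimate, but they are exactly what can de-provision a
# population by mistake, so list them for the reviewer before committing.
$creates | Where-Object { $_.ObjectType -in "ManagementPolicyRule", "Set", "WorkflowDefinition" } |
    ForEach-Object { Write-Host ("  NEW {0}: {1}" -f $_.ObjectType, $_.SourceObjectIdentifier) }

if ($deletes.Count -gt 0 -or $renames.Count -gt 0) {
    $deletes | ForEach-Object { Write-Warning ("DELETE {0} {1}" -f $_.ObjectType, $_.TargetObjectIdentifier) }
    $renames | ForEach-Object { Write-Warning ("RENAME {0} {1}" -f $_.ObjectType, $_.TargetObjectIdentifier) }
    throw "Change set deletes or renames existing objects; fix it in pilot and re-export instead of committing."
}

# Persist the reviewed change set, then commit it. Objects the service could not
# apply are returned and written out for a second pass, as the published
# CommitChanges.ps1 does.
$changes | ConvertFrom-FIMResource -File $changesFile
$imports = ConvertTo-FIMResource -File $changesFile
$undone  = @($imports | Import-FIMConfig -Uri $serviceUri)
if ($undone.Count -eq 0) {
    Write-Host "Import complete."
} else {
    $undone | ConvertFrom-FIMResource -File $undoneFile
    Write-Warning ("{0} object(s) could not be imported; see {1} and re-run the commit." -f $undone.Count, $undoneFile)
}
```

Run it under an account that is a FIM administrator on the production service, and keep the written changes.xml with the change ticket: it is the exact record of what was committed, which is what you will want when a helpdesk ticket arrives a week later.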

Disaster Recovery

The basics of FIM disaster recovery
SQL, SQL, SQL!
Backup and restore the FIM Service and Synchronization Service SQL databases in lock-step

See the guide for more details

Test your backups

(Diagram: Woodgrove’s FIM deployment with “Backup SQL” called out for both the FIM Service and the Synchronization Service databases.)

Recommended FIM Backup Schedule

FIM component | Full backup frequency | Incremental backup frequency
FIM Service Database | Daily | In accordance with organizational policies*
FIM Service .NET Application Configuration File | Every time after installing or changing the configuration file | Same as full backup frequency
FIM Service Registry Key Values | Every time after installing or changing the registry key values | Same as full backup frequency
FIM Synchronization Service Database | Daily | In accordance with organizational policies
FIM Synchronization Service Synchronization Configuration | Every time after installing or changing the management agent configuration | Same as full backup frequency
FIM Synchronization Encryption Keys | Every time after installing or changing encryption key values | Same as full backup frequency
FIM Portal | Only when you change the web.config file | Same as full backup frequency

* If incremental backup is not planned, the database should be set to simple recovery mode.

Testing backups
Failing to test a backup can be as bad as not having a backup.
Define a test plan with a couple of core scenarios:
End users can join groups
End users can approve requests
End users can reset passwords
Changes in FIM flow out to connected systems

For HA and DR, consider clustering SQL.
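“Lock-step” means the two databases are captured at the same point in time: the FIM MA links the FIM Service database to the Synchronization Service database, so restoring one from Monday and the other from Tuesday leaves references that point nowhere. The script below is an added example, not from the deck or the Backup and Restore guide. It quiesces both services, takes full backups of both databases plus the non-SQL items in the schedule above, restarts the services and then verifies the media, which is the minimum “test your backups” step that can run unattended. It assumes both services are on the local machine against a local default SQL instance, the default install paths, and sqlcmd.exe on the PATH; the backup location and the command-line switches for svrexport.exe and miiskmu.exe are assumptions to confirm against your installation.

```powershell
# Added example: lock-step backup of the FIM Service and Synchronization Service
# databases plus the configuration file, registry key, sync configuration and
# encryption keys from the schedule above. Assumptions: local services, local default
# SQL instance, default install paths, sqlcmd.exe on PATH, and the switch syntax of
# svrexport.exe / miiskmu.exe (check each tool's /? output before relying on it).
# Run as an account with SQL backup rights and local administrator rights.
$stamp      = Get-Date -Format "yyyyMMdd-HHmm"
$backupRoot = Join-Path "D:\FIMBackup" $stamp                   # assumed location
$sqlServer  = "."                                              # assumed: local default instance
$fimService = "${env:ProgramFiles}\Microsoft Forefront Identity Manager\2010\Service"
$fimSync    = "${env:ProgramFiles}\Microsoft Forefront Identity Manager\2010\Synchronization Service"
$databases  = "FIMService", "FIMSynchronizationService"
$services   = "FIMService", "FIMSynchronizationService"
New-Item -ItemType Directory -Path $backupRoot | Out-Null

# 1. Stop both services so no request or run profile is half-way through while the
#    two databases are captured; that is what makes the pair consistent.
foreach ($name in $services) { Stop-Service -Name $name -Force -ErrorAction Stop }

try {
    # 2. Full backups of both databases. CHECKSUM makes media corruption detectable.
    foreach ($db in $databases) {
        $file = Join-Path $backupRoot "$db.bak"
        $sql  = "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10"
        & sqlcmd.exe -S $sqlServer -E -b -Q $sql
        if ($LASTEXITCODE -ne 0) { throw "Backup of $db failed (sqlcmd exit code $LASTEXITCODE)" }
    }

    # 3. FIM Service .NET configuration file and registry key values.
    Copy-Item (Join-Path $fimService "Microsoft.ResourceManagement.Service.exe.config") $backupRoot
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\FIMService" `
        (Join-Path $backupRoot "FIMService.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed" }
}
finally {
    # 4. Bring the services back whatever happened above.
    foreach ($name in $services) { Start-Service -Name $name }
}

# 5. Synchronization Service configuration and encryption keys. svrexport.exe writes
#    the server and MA configuration XML into a folder; miiskmu.exe exports the key
#    set. Both live in the Sync Service Bin folder and talk to the running service.
$syncConfigDir = Join-Path $backupRoot "SyncConfig"
New-Item -ItemType Directory -Path $syncConfigDir | Out-Null
& (Join-Path $fimSync "Bin\svrexport.exe") $syncConfigDir
& (Join-Path $fimSync "Bin\miiskmu.exe") /e (Join-Path $backupRoot "SyncKeys.bin")   # switch syntax assumed

# 6. "Test your backups": prove the media is readable and the checksums intact now;
#    the full restore drill (portal scenarios from the test plan) is a separate job.
foreach ($db in $databases) {
    $file = Join-Path $backupRoot "$db.bak"
    & sqlcmd.exe -S $sqlServer -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw "Backup media for $db failed verification" }
}
"Backup set $stamp taken from $env:COMPUTERNAME at $(Get-Date -Format o)" |
    Set-Content (Join-Path $backupRoot "MANIFEST.txt")
Write-Host "Backup set written to $backupRoot"
```

Two caveats a practitioner will care about: the exported key file is the secret that protects every MA credential in the sync database, so store it with the same controls as the database backup and never in the same folder as the configuration XML you hand to consultants; and if the databases live on a clustered or remote SQL instance, point $sqlServer at it and give the backup path a UNC location the SQL Server service account can write to.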

Demo – Restoring after a disaster

Monitoring Availability

The basics of Monitoring Availability
Prioritize end user scenarios first

Use Operations Manager 2007

Use existing MPs for SQL and Windows Server

What to monitor: end user availability
Can end users accomplish self-service? This is the primary monitoring scenario for most people.
Use the Operations Manager 2007 Web Application Monitor; see the MP Guide for a synthetic transaction to configure.
Supplement the Web App Monitor with FIM MP monitors, e.g. monitor the FIM Service.

Demo – How to Monitor Availability

SQL Availability
E.g. does SQL have enough disk space?
SQL failures = FIM failures
The FIM MP does not provide monitors for SQL; use the SQL MP for monitoring SQL in production.

Sync Availability
Did my Run Profile execute?
The FIM MP monitors for Sync Service configuration failures, e.g. were there errors during a sync?
You need to tune the MP to your specific sync scenario, and add instrumentation to the way you execute run profiles.
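The three questions above (can a user reach the portal, are the services up, did the run profiles execute) can be answered by one probe that any scheduler or an Operations Manager script rule can run and alert on via its exit code. The script below is an added example for this deck, not part of the FIM management pack. It makes an authenticated HTTP request to the portal and the FIM Service endpoint, checks the two Windows services, and reads the Synchronization Service run history through its WMI provider in root\MicrosoftIdentityIntegrationServer. Host names, URLs, the staleness threshold and the assumed format of the RunStartTime string are this example’s assumptions.

```powershell
# Added example: a synthetic availability probe for FIM. Run it as a test user that is
# a normal member of the portal population (not an administrator) so the result
# reflects what end users see. Exit code 0 = healthy, 1 = one or more problems.
# Assumptions: URLs, host names, the 2-hour run-profile freshness threshold, and that
# MIIS_RunHistory.RunStartTime parses as a UTC date string.
$portalUrl      = "http://fimportal.woodgrove.local/IdentityManagement/"                    # assumed
$serviceUrl     = "http://fimservice.woodgrove.local:5725/ResourceManagementService/MEX"    # assumed
$fimServiceHost = "fimservice.woodgrove.local"                                              # assumed
$syncHost       = "fimsync.woodgrove.local"                                                 # assumed
$maxRunAgeHours = 2                                                                         # assumed
$problems       = @()

# 1. End user availability: does an authenticated GET of the portal succeed?
foreach ($url in $portalUrl, $serviceUrl) {
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.UseDefaultCredentials = $true     # Windows auth as the probe account
        $req.Timeout = 15000
        $resp = $req.GetResponse()
        if ([int]$resp.StatusCode -ne 200) { $problems += "$url returned HTTP $([int]$resp.StatusCode)" }
        $resp.Close()
    } catch {
        $problems += "$url failed: $($_.Exception.Message)"   # non-2xx and timeouts land here
    }
}

# 2. Service availability: the Windows services behind the portal.
foreach ($pair in @(@($fimServiceHost, "FIMService"), @($syncHost, "FIMSynchronizationService"))) {
    $svc = Get-Service -ComputerName $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue
    if ($svc -eq $null -or $svc.Status -ne "Running") { $problems += "$($pair[1]) is not running on $($pair[0])" }
}

# 3. Sync availability: "Did my Run Profile execute?" Every management agent must
#    have a recent run, and its most recent run must have ended with "success".
$ns   = "root\MicrosoftIdentityIntegrationServer"
$mas  = @(Get-WmiObject -ComputerName $syncHost -Namespace $ns -Class MIIS_ManagementAgent)
$runs = @(Get-WmiObject -ComputerName $syncHost -Namespace $ns -Class MIIS_RunHistory)
foreach ($ma in $mas) {
    $last = $runs | Where-Object { $_.MaName -eq $ma.Name } | Sort-Object RunNumber -Descending | Select-Object -First 1
    if ($last -eq $null) { $problems += "MA '$($ma.Name)' has never run"; continue }
    if ($last.RunStatus -ne "success") {
        $problems += "MA '$($ma.Name)' run profile '$($last.RunProfile)' ended with '$($last.RunStatus)'"
    }
    try {
        $started = [datetime]::Parse($last.RunStartTime, [System.Globalization.CultureInfo]::InvariantCulture)
        if ($started -lt (Get-Date).ToUniversalTime().AddHours(-$maxRunAgeHours)) {
            $problems += "MA '$($ma.Name)' has not run since $started UTC"
        }
    } catch {
        $problems += "MA '$($ma.Name)': cannot parse RunStartTime '$($last.RunStartTime)'"
    }
}

if ($problems.Count -eq 0) { Write-Host "FIM availability OK"; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

The run-history check is the instrumentation the slide says you have to add yourself: a scheduled task that runs a profile and exits 0 tells you nothing about whether the run had errors, whereas the RunStatus of the latest MIIS_RunHistory record does. Tune $maxRunAgeHours per management agent if some run only nightly.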

Responding to helpdesk tickets

The basics of troubleshooting
Helpdesk tickets still arise: “Can’t reset my password”, “Can’t access the portal”, “Can’t approve this request”
Refer to the troubleshooting guide.
Request resources store audit and troubleshooting information.
Don’t rely on the management pack for troubleshooting.

Five Diagnostic Techniques
1. Requests
2. MPR Explorer
3. SOAP Faults
4. Event Viewer
5. Diagnostic Tracing

* The Appendix at the end of the deck has slides that answer what these techniques are, when to use them, and why they are useful.

End user access to the portal – AD isn’t enough

Workflows, Approvals, and Admin Box

Exchange connectivity is intermittent

PowerShell as a troubleshooting aid
Sometimes it’s easier to read and write “raw” views of FIM resources, or to reset a value which isn’t exposed in the UI.
PowerShell provides a supported web service client.
See the example scripts on FIM ScriptBox.
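What “raw view” means in practice: Export-FIMConfig with an XPath filter returns every attribute of a resource, including the ones no Resource Control Display Configuration shows, and an ImportObject with a single Replace change is the supported way to set one of them back. The script below is an added example for this deck, not one of the FIM ScriptBox scripts, although it follows the same ImportObject/ImportChange pattern. The FIM Service URI, the account name, the attribute chosen for the reset and its new value are assumptions.

```powershell
# Added example: read the raw attribute view of a FIM resource, reset one attribute,
# and pull the Request history for that user. Assumptions: service URI, the account
# 'jdoe', and the Email attribute/value used to illustrate the reset.
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}
$uri = "http://localhost:5725/ResourceManagementService"   # assumed

function Get-FimResourceRaw([string]$xpath) {
    # Returns each matching resource as one object carrying every attribute the
    # caller is permitted to read, not just the ones the portal displays.
    $export = Export-FIMConfig -Uri $uri -CustomConfig $xpath -OnlyBaseResources
    foreach ($r in $export) {
        $o = $r.ResourceManagementObject
        $props = @{ ObjectID = $o.ObjectIdentifier; ObjectType = $o.ObjectType }
        foreach ($a in $o.ResourceManagementAttributes) {
            $props[$a.AttributeName] = if ($a.IsMultiValue) { $a.Values } else { $a.Value }
        }
        New-Object PSObject -Property $props
    }
}

function Set-FimAttribute([string]$objectType, [string]$objectId, [string]$attribute, [string]$value) {
    # One Put request containing a single Replace. It goes through normal MPR and
    # workflow policy, so the calling account needs a rule granting it this attribute.
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = "Replace"
    $change.AttributeName  = $attribute
    $change.AttributeValue = $value
    $change.FullyResolved  = $true
    $change.Locale         = "Invariant"

    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType             = $objectType
    $import.TargetObjectIdentifier = $objectId
    $import.SourceObjectIdentifier = $objectId
    $import.State                  = "Put"
    $import.Changes                = @($change)
    $import | Import-FIMConfig -Uri $uri
}

# Ticket: "can't reset my password". Look at the raw Person first: is the account
# actually registered for the password reset workflow, and does Domain/AccountName
# match what the user typed?
$user = Get-FimResourceRaw "/Person[AccountName='jdoe']"   # assumed account
$user | Format-List ObjectID, DisplayName, AccountName, Domain, Email, AuthNWFRegistered

# Then the Requests that targeted this user, newest first: the RequestStatus and
# ManagementPolicy (which MPRs applied) are the first diagnostic stop.
Get-FimResourceRaw "/Request[Target=/Person[AccountName='jdoe']]" |
    Sort-Object CreatedTime -Descending |
    Select-Object CreatedTime, Operation, RequestStatus, ManagementPolicy |
    Format-Table -AutoSize

# Reset a value the UI does not expose. Attribute and value are illustrative.
if ($user -ne $null) {
    Set-FimAttribute -objectType "Person" -objectId $user.ObjectID -attribute "Email" -value "jdoe@woodgrove.local"
}
```

Because the write goes through the same policy engine as the portal, a “Permission Denied” fault here is itself diagnostic: it tells you no MPR grants the calling account that attribute, which is frequently the root cause of the ticket in the first place.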

Measuring Value of FIM

The basics of measuring value for FIM
FIM provides a lot of value in many different ways:
Certificate management
Automated provisioning
Criteria-based (dynamic) groups
Self-service identity management
Measuring value is environment-specific, but here are pointers.

Measuring value for self-service scenarios
End users calling the helpdesk costs ~$30 per password reset.
The value of self-service is the number of reduced helpdesk calls.
Report on the number of self-service password resets. This is not a feature in FIM today; consider a partner like Omada to help.
Use this pattern to measure the value of group management and approvals.

Demo – Determining how many people reset passwords

XPath Queries for Password Reset Search Scope
(The Creator is the Anonymous account that unauthenticated password resets run as, which is why the MPR in the Appendix grants the reset permission to anonymous users.)

All Password Reset Requests:
/Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation='Put']

All Completed Password Reset Requests:
/Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and RequestStatus='Completed']

Measuring value for automated provisioning
Copying and pasting users in Active Directory is prone to error.
The value of policy-based automation is always-in-compliance users.
Report the number of changes to user resources which you no longer have to track manually: a similar pattern to the self-service password reset activity.
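Both measurements above are the same query pattern: count Request objects by Creator, Operation and status over a time window. The script below is an added example for this deck (not a FIM feature or a partner report): it turns the two password reset XPath queries into a monthly attempts/completions table with the deck’s ~$30 per call figure, and then applies the same pattern to provisioning by counting Person changes made by the synchronization account. The service URI, the three-month window, and looking the synchronization account up by its display name rather than hard-coding its ID are assumptions of this example.

```powershell
# Added example: value report built from Request objects. Assumptions: service URI,
# a 3-month window, the $30 per helpdesk call figure quoted in the deck, and the
# display name of the synchronization account used to find its ObjectID.
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) {
    Add-PSSnapin FIMAutomation
}
$uri           = "http://localhost:5725/ResourceManagementService"      # assumed
$anonymousUser = "b0b36673-d43b-4cfa-a7a2-aff14fd90522"                  # Creator ID from the queries above
$costPerCall   = 30                                                      # deck's estimate
$since         = (Get-Date).AddMonths(-3).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")

function Get-FimRequests([string]$xpath) {
    # Flatten each Request into the attributes the report needs.
    Export-FIMConfig -Uri $uri -CustomConfig $xpath -OnlyBaseResources | ForEach-Object {
        $attrs = @{}
        foreach ($a in $_.ResourceManagementObject.ResourceManagementAttributes) { $attrs[$a.AttributeName] = $a.Value }
        New-Object PSObject -Property @{
            Created    = [datetime]$attrs["CreatedTime"]
            Status     = $attrs["RequestStatus"]
            Operation  = $attrs["Operation"]
            TargetType = $attrs["TargetObjectType"]
        }
    }
}

# 1. Self-service password reset: attempts vs. completions per month, and what the
#    completed ones would have cost as helpdesk calls.
$resets = @(Get-FimRequests "/Request[Creator='$anonymousUser' and Operation='Put' and CreatedTime > '$since']")
$resets | Group-Object { $_.Created.ToString("yyyy-MM") } | Sort-Object Name | ForEach-Object {
    $completed = @($_.Group | Where-Object { $_.Status -eq "Completed" }).Count
    New-Object PSObject -Property @{
        Month     = $_.Name
        Attempts  = $_.Count
        Completed = $completed
        Saved     = "{0:C0}" -f ($completed * $costPerCall)
    }
} | Format-Table Month, Attempts, Completed, Saved -AutoSize

$done = @($resets | Where-Object { $_.Status -eq "Completed" }).Count
$rate = if ($resets.Count -gt 0) { $done / $resets.Count } else { 0 }
"Password reset completion rate: {0:P0} ({1} of {2}); a low rate points at registration or MPR problems, not at low demand." -f $rate, $done, $resets.Count

# 2. Automated provisioning: Person creates and updates committed by the
#    synchronization account, i.e. changes nobody made (or tracked) by hand.
$syncAccount = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person[DisplayName='Built-in Synchronization Account']"
$syncId      = $syncAccount.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
$automated   = @(Get-FimRequests "/Request[Creator='$syncId' and CreatedTime > '$since']" |
    Where-Object { $_.TargetType -eq "Person" -and $_.Status -eq "Completed" })
$automated | Group-Object Operation | ForEach-Object { "{0,-8} {1,6}" -f $_.Name, $_.Count }
"Automated user changes since {0}: {1}" -f $since, $automated.Count
```

Keep the Request retention policy in mind when you schedule this: once expired Requests are purged the history is gone, so run the report at least as often as the retention interval and keep its output, not the raw objects.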

Resources mentioned in this presentation
Disaster Recovery: http://technet.microsoft.com/en-us/library/fim-2010-backup-and-restore-guide(WS.10).aspx
Config Migration: http://technet.microsoft.com/en-us/library/ee534906(WS.10).aspx
Troubleshooting Guide: http://technet.microsoft.com/en-us/library/ff608271(WS.10).aspx
FIM ScriptBox: http://go.microsoft.com/fwlink/?LinkID=163230

Infrastructure Planning and Design (IPD) Guide: Microsoft Forefront Identity Manager 2010
What are IPD Guides? Guidance & best practices for infrastructure planning of Microsoft technologies.

Forefront Identity Manager 2010 Guide Benefits
Helps the architect to define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases

It’s a free download! Go to www.microsoft.com/ipd
Check out the entire IPD series for streamlined IT infrastructure planning

“At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.”
Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services

Related Content

SIA318 – Deploying FIM

SIA03-INT – Deploying FIM and Chalk Talk

SIA06-INT Identity and Access Management Solution Demos

Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial

Resources
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources (Learning): www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Appendix

Request Objects

What? A FIM object that records the progress of a request.

When? First choice for diagnostics. Use it to diagnose failures from user actions that occurred in the past; the other techniques require a repro.

Why? Records which MPRs applied to the request. Records errors from workflow activities.

Example: Can’t Reset Password
Demo: End user gets a failure when resetting password after registering.
Problem: The MPR granting permission to anonymous users to reset passwords is not configured.
Diagnostics: Administrator inspects the request object and sees no applied policy.
Solution: Administrator modifies the existing MPR to grant permission to reset passwords.

MPR Explorer

What? RC1 feature that simulates a request object.

When? The request object is not available, or you want to predict applied policies without making requests.

Why? Executes a query to find matching policy. No change to the system, since it only simulates the request.

Example: Wrong Policy Applied
Demo: HR user attempts to modify the title of someone in the finance department.
Problem: The MPR granting permission to the HR user to set title is not present.
Diagnostics: Administrator uses MPR Explorer and notes that no MPR is applied as policy.
Solution: Administrator creates the MPR, Set, Notification Activity Workflow, and Email Template to enable the policy.

SOAP Faults

What? A SOAP message that indicates failure.

When? Diagnosing failures with custom clients.

Why? Provides information on failures in both the structure and the content of the SOAP request. Vital for diagnosing structural problems of custom clients.

Notable SOAP Faults
Invalid Representation: something is wrong with the data sent in.
Permission Denied: generic catch-all indicating multiple types of failures (no MPR granted the operation, or a failure was mapped to this fault).
Authorization Required: the request was accepted and validated but has not been committed; an authorization (approval) workflow is running and the change is applied only if it completes.

Event Viewer

What? Windows events stored in the event log. Two types: health events and diagnostic events.

Health Events
What? Targeted events that indicate a specific root-cause failure. Written to the Application log. Consumed by the Management Pack.
When? To detect cross-cutting failures, independent of requests.
Why? Reported by components upon specific, known errors.

Diagnostic Events
What? “Errors” detected by the service. Mostly noise, but useful to investigate one-off failures. Written to the Forefront Identity Manager log for the FIM Service and to the Application log for the FIM Sync Service.
When? To correlate low-level exception information with failures elsewhere. Specifically useful for seeing failures in workflows and requests.
Why? Records low-level information for all .NET exceptions.

Example: FIM MA Export Failures

Demo: Administrator flows data which violates validation and the FIM MA export fails.
Problem: The source data or the validation rule need to be changed so they match.
Diagnostics: Administrator looks at the error in Identity Manager and correlates it with information in the event viewer.
Solution: Administrator relaxes the validation rule so the data can be exported.

Diagnostic Tracing

What? “Blunt instrument of last resort”; contains much noise.

When? As a last resort, usually at the direction of PSS. Useful for custom client failures.

Why (and caveats)? Requires a service restart. Non-trivial performance degradation. Uses the Microsoft.ResourceManagement trace source; see MSDN for the guide to enable it.
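Enabling the trace source is a standard .NET System.Diagnostics configuration change in the FIM Service .exe.config, which is why it needs a service restart and why the config file is on the backup schedule. The script below is an added example for this deck, not the MSDN procedure itself: it backs up the config, adds (or removes, with -Disable) a source entry for Microsoft.ResourceManagement with a text-file listener, and restarts the service. The listener name, the trace file location and the use of the Verbose level are this example’s assumptions; PSS will tell you which level they want.

```powershell
# Added example: toggle the Microsoft.ResourceManagement trace source in the FIM
# Service configuration file and restart the service. Run as a local administrator
# on the FIM Service host. Assumptions: default install path, the trace directory,
# the listener name and the "Verbose" switch value.
param([switch]$Disable)

$serviceDir = "${env:ProgramFiles}\Microsoft Forefront Identity Manager\2010\Service"
$configPath = Join-Path $serviceDir "Microsoft.ResourceManagement.Service.exe.config"
$traceFile  = "C:\FIMTrace\ResourceManagement.log"        # assumed; FIM Service account needs write access
$stamp      = Get-Date -Format "yyyyMMdd-HHmmss"

# Always keep the previous copy: the config file is on the backup schedule because
# a typo here stops the service from starting at all.
Copy-Item $configPath "$configPath.$stamp.bak"
[xml]$config = Get-Content $configPath

# Create the <system.diagnostics><sources> skeleton if it is not there yet.
$diag = $config.configuration.SelectSingleNode("system.diagnostics")
if ($diag -eq $null) { $diag = $config.configuration.AppendChild($config.CreateElement("system.diagnostics")) }
$sources = $diag.SelectSingleNode("sources")
if ($sources -eq $null) { $sources = $diag.AppendChild($config.CreateElement("sources")) }

# Remove any entry from an earlier run so the script is safe to run repeatedly.
$existing = $sources.SelectSingleNode("source[@name='Microsoft.ResourceManagement']")
if ($existing -ne $null) { $sources.RemoveChild($existing) | Out-Null }

if (-not $Disable) {
    New-Item -ItemType Directory -Force -Path (Split-Path $traceFile) | Out-Null
    $source = $config.CreateElement("source")
    $source.SetAttribute("name", "Microsoft.ResourceManagement")
    $source.SetAttribute("switchValue", "Verbose")         # assumed level; use what PSS asks for
    $listeners = $source.AppendChild($config.CreateElement("listeners"))
    $add = $config.CreateElement("add")
    $add.SetAttribute("name", "fimTraceFile")               # assumed listener name
    $add.SetAttribute("type", "System.Diagnostics.TextWriterTraceListener")
    $add.SetAttribute("initializeData", $traceFile)
    $listeners.AppendChild($add) | Out-Null
    $sources.AppendChild($source) | Out-Null

    # Flush on every write so a service crash does not lose the lines you need most.
    $trace = $diag.SelectSingleNode("trace")
    if ($trace -eq $null) { $trace = $diag.AppendChild($config.CreateElement("trace")) }
    $trace.SetAttribute("autoflush", "true")
}

$config.Save($configPath)
Restart-Service -Name FIMService -Force      # the deck's caveat: tracing needs a restart
if ($Disable) { Write-Host "Tracing disabled; previous config saved as $configPath.$stamp.bak" }
else          { Write-Host "Tracing enabled, writing $traceFile; previous config saved as $configPath.$stamp.bak" }
```

Treat the trace file as sensitive: at Verbose it records request and attribute content, so restrict its directory to administrators and the FIM Service account, and run the script again with -Disable (and delete the file) as soon as PSS has what they need, both for the performance cost the slide mentions and to stop accumulating identity data on disk.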

Example: Exchange Failures

Demo: FIM does not receive incoming mail from Outlook and does not send approval mail.
Problem: FIM is configured to connect to Exchange without SSL.
Diagnostics: Administrator sees the failure to connect to Exchange in the event viewer and in diagnostic tracing.
Solution: Update the configuration file.

JUNE 7-10, 2010 | NEW ORLEANS, LA